SECURITY and PRIVACY in DYNAMIC ENVIRONMENTS IFIP - the International Federation for Information Processing

Home , University of Fribourg, University of Regensburg

SECURITY AND PRIVACY IN DYNAMIC ENVIRONMENTS IFIP - The International Federation for Information Processing

IFIP was founded in 1960 under the auspices of UNESCO, following the First World Computer Congress held in Paris the previous year. An umbrella organization for societies working in information processing, IFIP's aim is two-fold: to support information processing within its member countries and to encourage technology transfer to developing nations. As its mission statement clearly states,

IFIP's mission is to be the leading, truly international, apolitical organization which encourages and assists in the development, exploitation and application of information technology for the benefit of all people.

IFIP is a non-profitmaking organization, run almost solely by 2500 volunteers. It operates through a number of technical committees, which organize events and publications. IFIP's events range from an international congress to local seminars, but the most important are:

The IFIP World Computer Congress, held every second year; Open conferences; Working conferences.

The flagship event is the IFIP World Computer Congress, at which both invited and contributed papers are presented. Contributed papers are rigorously refereed and the rejection rate is high.

As with the Congress, participation in the open conferences is open to all and papers may be invited or submitted. Again, submitted papers are stringently refereed.

The working conferences are structured differently. They are usually run by a working group and attendance is small and by invitation only. Their purpose is to create an atmosphere conducive to innovation and development. Refereeing is less rigorous and papers are subjected to extensive group discussion.

Publications arising from IFIP events vary. The papers presented at the IFIP World Computer Congress and at open conferences are published as conference proceedings, while the results of the working conferences are often published as collections of selected and edited papers.

Any national society whose primary activity is in information may apply to become a full member of IFIP, although full membership is restricted to one society per country. Full members are entitled to vote at the annual General Assembly, National societies preferring a less committed involvement may apply for associate or corresponding membership. Associate members enjoy the same benefits as full members, but without voting rights. Corresponding members are not represented in IFIP bodies. Affiliated membership is open to non-national societies, and individual and honorary membership schemes are also offered. SECURITY AND PRIVACY IN DYNAMIC ENVIRONMENTS

Proceedings of the IFIP TC-1 1 2 1st International Information Security Conference (SEC 2006), 22-24 May 2006, Karlstad, Sweden.

Edited by

Simone Fischer-Hubner Karlstad University, Sweden

Kai Rannenberg Coethe University, Frankfurt, Germany

Louise Yngstrom Stockholm University/Royal Institute of Technology, Sweden

Stefan Lindskog Karlstad University, Sweden

Q- Springer Library of Congress Control Number: 2006923022

Security and Privacy in Dynamic Environments Edited by S.Fischer-Hiibner, K. Rannenberg, L. Yngstrom, and S. Lindskog

p, cm. (IFIP International Federation for Information Processing, a Springer Series in Computer Science)

ISSN: 1571-5736 1 1861-2288 (Internet) ISBN: 10: 0-387-33405-X ISBN: 13: 9780-387-33405-X eISBN: 10: 0-387-33406-8 Printed on acid-free paper

Copyright O 2006 by lntemational Federation for Information Processing. All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, Inc., 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use in this publication of trade names, trademarks, service marks and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

Printed in the United States of America Foreword

This book contains the Proceedings of the 21st IFIP TC-11 International Information Security Conference (IFIPISEC 2006) on "Security and Privacy in Dynamic Environ- ments" held in May 22-24 2006 in Karlstad, Sweden. The first IFIPISEC conference was arranged in May 1983 in Stockholm, Sweden, one year before TC- 11 was founded, with the active participation of the Swedish IT Security Community. The IFIPISEC conferences have since then become the flagship events of TC-11. We are very pleased that we succeeded with our bid to after 23 years hold the IFIPISEC conference again in Sweden. The IT environment now includes novel, dynamic approaches such as mobility, wearability, ubiquity, ad hoc use, mindhody orientation, and businesslmarket orientation. This modem environment challenges the whole information security research community to focus on interdisciplinary and holistic approaches whilst retaining the benefit of previous research efforts. Papers offering research contributions focusing on dynamic environments in addition to other aspects of computer security and privacy were solicited for submission to IFIPISEC 2006. We received 141 submissions which were all reviewed by at least three members of the international program committee. At a one-day program committee meeting, the submitted papers were discussed, and 35 papers were selected for presentation at the conference, which means an acceptance rate of 24.8%. A special emphasis of IFIPISEC 2006 is on Privacy and Privacy Enhanc- ing Technologies, which is addressed by 9 of the 35 accepted papers. Further topics addressed include security in mobile and ad hoc networks, access control for dynamic environments, new forms of attacks, security awareness, intrusion detection and network forensics. These Proceedings also include the papers of the following two workshops that are associated with SEC 2006: the workshop on "Security Culture" organized by IFIP Working Group 11.111 1.8 as well as the I-NetSec'06 workshop on "Privacy and Anonymity Issues in Networked and Distributed Systems" organized by IFIP Work- ing Group 11.4. Both workshops were organized autonomously by the respective IFIP Working Groups. They had their own call for papers, program committees, and selec- tion processes with acceptance rates of papers similar to the one of the main IFIPISEC 2006 conference. IFIPISEC 2006 is organized in cooperation with Karlstad University, SIG Security, and Datafireningen i Sverige. We would like to thank Microsoft AB, Karlstads kommun, SAAB AB, and TietoEnator, who are sponsoring IFIPISEC 2006. Furthermore, we gratefully thank all authors, members of the program committees, and additional reviewers for their contributions to the scientific quality of this conference and the two workshops. Last but not least, we owe thanks to the organizing committee, and espe- cially to its chair Dr. Albin Zuccato, for all the efforts and dedication in preparing this conference. February 2006

Simone Fischer-Hiibner (Conference General Chair) Kai Rannenberg and Louise Yngstrom (Program Committee Co-Chairs) Stefan Lindskog (Publication Chair) Organization

IFIPISEC 2006 is organized by IFIP TC-I 1 (Technical Committee on Security & Pro- tection in Information Processing Systems) in cooperation with Karlstad University, SIG Security, and Dataforeningen i Sverige.

Conference Chairs

Conference General Chair Simone Fischer-Hiibner, Karlstad University, Sweden

Program Committee Co-Chairs Kai Rannenberg, Goethe University Frankfurt, Germany Louise Yngstrom, Stockholm UniversityRoyal Institute of Technology, Sweden

Organizing Committee Chair Albin Zuccato, Karlstad University, Sweden

Publication Chair Stefan Lindskog, Karlstad University, Sweden

Sponsorship Chair Christer Magnusson, Stockholm UniversityRoyal Institute of Technology, Sweden

Program Committee

Helen Armstrong, Curtin University, Australia Tuomas Aura, Microsoft Research, UK Richard Baskerville, Georgia State University, USA Rolf Blom, Ericsson Research, Sweden Reinhard Botha, Nelson Mandela Metropolitan University, South Africa Caspar Bowden, Microsoft EMEA Technology Office, UK Bill Caelli, Queensland University of Technology, Australia Jan Camenisch, IBM Zurich Research Laboratory, Switzerland Bruce Christianson, University of Hertfordshire, UK Roger Clarke, Xamax Consultancy, Australia Richard Clayton, University of Cambridge, UK Frkdkric Cuppens, ENST Bretagne, France Mads Dam, Royal Institute of Technology, Sweden Bart De Decker, Katholieke Universiteit Leuven, Belgium Yves Deswarte, LAAS-CNRS, France Ronald Dodge, United States Military Academy, USA Mariki Eloff, University of South Africa, South Africa Jan Eloff, University of Pretoria, South Africa Ulfar Erlingsson, Microsoft Research, USA Hannes Federrath, University of Regensburg, Germany Steven Furnell, University of Plymouth, UK Virgil D. Gligor, University of Maryland, USA Viiveke Fik, Linkoping University, Sweden Dieter Gollmann, TU Harburg, Germany Rudiger Grimm, Technische UniversitZt Ilmenau, Germany Dimitris Gritzalis, Athens University of Economics & Business, Greece Mahrnoud T. El-Hadidi, Cairo University, Egypt Mant Hansen, Independent Centre for Privacy Protection Schleswig-Holstein, Germany Sushi1 Jajodia, George Mason University, USA Erland Jonsson, Chalmers University of Technology, Sweden Audun Jssang, DSTC Security Unit, Australia Anas Abou El Kalam, LIFO - CNRS, France Sokratis Katsikas, University of the Aegean, Greece Dogan Kesdogan, RWTH Aachen, Germany Hiroaki Kikuchi, Tokai University, Japan HLkan Kvarnstrom, TeliaSonera, Sweden Svein J. Knapskog, NTU, Norway Jsrn Knudsen, Copenhagen Hospital Corporation, Denmark Stefan Lindskog, Karlstad University, Sweden William List, Firm Wm. List & Co, UK Les Labuschagne, University of Johannesburg, South Africa Jussipekka Leiwo, Nanyang Technological University, Singapore Dennis Longley, Queensland University of Technology, Australia Javier Lopez, University of Malaga, Spain Christer Magnusson, Stockholm UniversitylRoyal Institute of Technology, Sweden Vijay Masurkar, Sun Microsystems, Inc., USA Vashek Matyas, Masaryk University Brno, Czech Republic Hermann de Meer, Passau University, Germany Refik Molva, Institut Eurecom, France Giinter Muller, University of Freiburg, Germany Yuko Murayama, Iwate Prefectural University, Japan Eiji Okamoto, University of Tsukuba, Japan Giinther Pernul, University of Regensburg, Germany Andreas Pfitzmann, Dresden University of Technology, Germany Hartmut Pohl, University of Applied Sciences Bonn-Rhein-Sieg, Germany Joachim Posegga, Hamburg University, Germany Bart Preneel, Katholieke Universiteit Leuven, Belgium Sihan Qing, Chinese Academy of Sciences, China Daniel J. Ragsdale, United States Military Academy, USA Indrajit Ray, Colorado State University, USA Hanne Riis Nielson, Technical University of Denmark, Denmark Pierangela Samarati, Universita' di Milano, Italy David Sands, Chalmers University of Technology, Sweden Ryoichi Sasaki, Tokyo Denki University, Japan Ingrid Schaumiiller-Bichl,ITSB Linz, Austria Matthias Schunter, IBM Zurich Research Laboratory, Switzerland Anne Karen Seip, Kredittilsynet (FSA), Norway Andrei Serjantov, The Free Haven Project, UK Nahid Shahmehri, Linkoping University, Sweden Leon Strous, De Nederlandsche Bank, The Netherlands Masato Terada, Hitachi Ltd., Japan Stephanie Teufel, University of Fribourg, Switzerland Teemupekka Virtanen, Helsinki University of Technology, Finland Basie von Solms, University of Johannesburg, South Africa Rossouw von Solms, Nelson Mandela Metropolitan University, South Africa Jozef Vyskoc, VaF, Slovak Republic Matthew Warren, Deakin University, Australia Tatjana Welzer, University of Maribor, Slovenia Gunnar Wenngren, Swedish Defence Research Agency (FOI), Sweden Felix Wu, University of California, USA Hiroshi Yoshiura, The University of Electro-Communications, Japan Albin Zuccato, Karlstad University, Sweden

Additional Reviewers

Eric Alata Anas Abou El Kalam Magnus Almgren Ludwig Fuchs Fabien Autrel Joaquin Garcia Jabiri Kuwe Bakari Stelios Georgiou Theodore Balopoulos Steven Gevers Zinaida Benenson Almut Herzog Nafeesa Bohra Amine Houyou Philippe Bulens Martin Johns Sudip Chakraborty George Kambourakis Sebastian Claulj Ioanna Kantzavelou Stefano Crosta Guenter Ka rjoth Sabrina De Capitani di Vimercati Maria Karyda Ivan Dedinski Stefan Koepsell Liesje Demuynck Jan Kolter Wolfgang Dobmeier Markus Kuhn Stelios Dritsas Tobias Kolsch Claudiu Duma Patrick Lambrix Ulf Larson Henrich C. Pi5hls Jens-Ove Lauf Rodrigo Roman Soo Bum Lee Christoffer Rosenkilde Nielsen Dimitris Lekkas Rene Rydhof Hansen Tina Lindgren Christian Schlager Henning Makholm Daniel Schreckling Martin Meints Jan Seedorf Patrick S. Merten Sandra Steinbrecher Pietro Michiardi Martin Steinert Ilya Mironov Gelareh Taban Jose A. Montenegro Marianthi Theoharidou Bjorn Muschall Kerry-Lynn Thomson Gregory Neven Terkel Tolstrup Flemming Nielson Bill Tsoumas Svetla Nikova Johan van Niekerk Thomas Nowey Robert N. Watson Jens Oberender Rolf Wendolsky Andriy Panchenko Kristof Verslype Lexi Pimenidis Andreas Westfeld Klaus Ploessl Yu Yu Nayot Poolsappasit Ye Zhang Torsten Priebe Melek (hen Thomas Probst

Organizing Committee Christer Andersson, Karlstad University, Sweden Johan Eklund, Karlstad University, Sweden Leonardo A. Martucci, Karlstad University, Sweden

Main Sponsor Microsoft AB

Sponsors Karlstads kommun SAAB AB TietoEnator

IFIP WG 11.1l11.8 Security Culture Workshop

Workshop Chairs Steven Furnell, University of Plymouth, UK (Chair WG 11.1) Daniel J. Ragsdale, United States Military Academy, USA (Chair WG 1 1.8)

Program Committee Helen Armstrong, Curtin University, Australia Matthew Bishop, University of California at Davis, USA Jeimy Cano, Universidad de 10s Andes, Bogod, Colombia Ronald Dodge, United States Military Academy, USA Paul Dowland, University of Plymouth, UK Lynette Drevin, Potchefstroom University, South Africa Jean-Noel Ezingeard, Henley Management College, UK Steven Furnell, University of Plymouth, UK Lynn Futcher, Nelson Mandela Metropolitan University, South Africa Dimitris Gritzalis, Athens University of Economics & Business, Greece Jorma Kajava, University of Lapland, Finland Sokratis Katsikas, University of the Aegean, Greece Phillip Lock, University of South Australia, Australia Natalia Miloslavskaya, Moscow Engineering Physics Institute, Russia Ahrned Patel, Centre for Network Planning (CPN), Aalborg University, Denmark Guenther Pemul, University of Regensburg, Germany Reijo Savola, VTT Technical Research Centre of Finland, Finland Jill Slay, University of South Australia, Australia Stephanie Teufel, University of Fribourg, Switzerland Alexander Tolstoy, Moscow Engineering Physics Institute, Russia Rossouw von Solrns, Nelson Mandela Metropolitan University, South Africa Louise Yngstrom, Stockholm UniversityiRoyal Institute of Technology, Sweden

IFIP WG 11.4 I-NetSec'06 Workshop

Program Committee Chair Bart De Decker, Katholieke Universiteit Leuven, Belgium

Program Committee Yves Deswarte, LAAS-CNRS, France Hannes Federrath, University of Regensburg, Germany Simone Fischer-Hiibner, Karlstad University, Sweden Keith Martin, Royal Holloway, University of London, UK Refik Molva, Institut Eurecom, France Andreas Pfitzmann, Dresden University of Technology, Germany Kai Rannenberg, Goethe University Frankfurt, Germany Pierangela Samarati, Universita' di Milano, Italy Vitaly Shmatikov, SRI International, USA Table of Contents

Privacy and Privacy-Enhancing Technologies I

Improving Availability of Emergency Health Information without Sacrificing Patient Privacy ...... 1 Inger Anne T0ndel

Ensuring Privacy for Buyer-Seller E-Commerce ...... 13 George Ee, Larry Korba, and Ronggong Song

A General Certification Framework with Applications to Privacy-Enhancing Certificate Infrastructures ...... 25 Jan Camenisch, Dieter Sommer, and Roger Zimmermann Security in Mobile and Ad Hoc Networks

Authenticated Query Flooding in Sensor Networks ...... 38 Zinaida Benenson, Felix C. Freiling, Ernest Hammerschmidt, Stefan Lucks, and Lexi Pimenidis

Identity Based Message Authentication for Dynamic Networks ...... 50 Pietro Michiardi and Rejk Molva

Providing Authentication and Access Control in Vehicular Network Environment 62 Hasnaa Moustafa, Gilles Bourdon, and Yvon Gourhant Trust and Security Management

A Framework for Web Services Trust...... 74 Marijke Coetzee and Jan Eloff

Trust: An Element of Security ...... 87 Stephen Flowerday and Rossouw von Solms

Security-by-Ontology: A Knowledge-Centric Approach ...... 99 Bill Tsoumas, Panagiotis Papagiannakopoulos, Stelios Dritsas, and Dimitris Gritzalis Privacy Enhancing Technologies I1

A Methodology for Designing Controlled Anonymous Applications ...... 1 11 fincent Naessens and Bart De Decker Design Options for Privacy-Respecting Reputation Systems within Centralised Internet Communities ...... 123 Sandra Steinbrecher Protecting (Anonymous) Credentials with the Trusted Computing Group's Trusted Platform Modules V1.2 ...... 135 Jan Camenisch Attacks, Vulnerability Analysis, and Tools Analysis and Improvement of Anti-Phishing Schemes ...... 148 Dinei Flordncio and Cormac Herley

CAT - A Practical Graph & SDL Based Toolkit for Vulnerability Assessment of3GNetworks ...... 158 Kameswari Kotapati, Peng Liu, and Thomas E LaPorta Protecting Web Services from DOS Attacks by SOAP Message Validation ..... 171 Nils Gruschka and Norbert Luttenberger Access Control and Authentication I A Flexible and Distributed Architecture to Enforce Dynamic Access Control ... 183 Thieny Sans, Frtdtric Cuppens, and Nora Cuppens-Boulahia A Paradigm for Dynamic and Decentralized Administration of Access Control in Worldlow Applications ...... 196 Andreas Mattas, Ioannins Mavridis, and Iason Pagkalos CASH: An Open Source Single Sign-on Solution for Secure E-services ...... 208 Claudio Agostino Ardagna, Ernesto Damiani, Sabrina De Capitani di Vimercati, Fulvio Frati, and Pierangela Samarati Security Protocols A Synchronous Multi-Party Contract Signing Protocol Improving Lower Boundofsteps ...... 221 Jianying Zhou, Jose A. Onieva, and Javier Lopez

On the Cryptographic Key Secrecy of the Strengthened Yahalom Protocol ..... 233 Michael Backes and Birgit Pfitzmann Sealed-Bid Micro Auctions...... 246 Kun Peng, Colin Boyd, and Ed Dawson Intrusion Detection Detecting Known and Novel Network Intrusions ...... 258 Yacine Bouzida and Frddtric Cuppens Evaluating Classifiers for Mobile-Masquerader Detection...... 271 Oleksiy Mazhelis, Seppo Puuronen, and Mika Raento ~sFlowCluster-IP:Connectivity-Based Visual Clustering of Network Hosts. ... 284 Xiaoxin En, William Yurcik, andAdam Slagell Usability and Awareness A Usability Study of Security Policy Management ...... 296 Almut Herzog and Nahid Shahmehri Considering the Usability of End-User Security Software ...... 307 Steven Furnell, Adila Jusoh, Dimitris Katsabas, and Paul Dowland Utilizing the Common Criteria for Advanced Student Research Projects ...... 3 17 Thuy D. Nguyen and Cynthia E. Iwine Privacy Enhancing Technologies I11 On the Relationship of Privacy and Secure Remote Logging in Dynamic Systems 329 Rafael Accorsi Privacy-Preserving Shared-Additive-Inverse Protocols and Their Applications . . 340 Huafei Zhu, Ticyan Li, and Feng Bao Access Control and Authentication I1 ClickPasswords ...... Darko Kirovski, Nebojia JojiC, and Paul Roberts Cryptographically Enforced Personalized Role-Based Access Control ...... Milan PetkoviC, Claudine Conrado, and Malik Hammoutdne Access Control and Authentication I11 Using VO Concept for Managing Dynamic Security Associations ...... Yuri Demchenko, Leon Gommans, and Cees de Laat Secure Fast Handover in an Open Broadband Access Network using Kerberos-style Tickets ...... Martin Gilje Jaatun, Inger Anne Tondel, Frederic Paint, Tor Hjalmar Johannessen, John Charles Francis, and Claire Duranton Forensics Network Forensics on Packet Fingerprints ...... Chia Yuan Cho, Sin Eung Lee, Chung Pheng Tan, and Yong Tai Tan Oscar - File Type Identification of Binary Data in Disk Clusters and RAM Pages Martin Kawesand and Nahid Shahmehri IFIP WG 11.1/11.8 Security Culture Workshop Organizational Security Culture: More Than Just an End-User Phenomenon .... 425 Anthonie B. Ruighaver and Sean B. Maynard Cyber Security Training and Awareness Through Game Play ...... 43 1 Benjamin D. Cone, Michael l? Thompson, Cynthia E. Zrvine, and Thuy D. Nguyen Internalisation of Information Security Culture amongst Employees through BasicSecurityKnowledge ...... 437 Omar Zakaria Bridging the Gap between General Management and Technicians - A Case StudyinICTSecurity ...... 442 Jabiri Kuwe Bakari, Charles N. Tarimo, Christer Magnusson, and Louise Yngstrom Value-Focused Assessment of Information Communication and Technology Security Awareness in an Academic Environment...... 448 Lynette Drevin, Hennie Kvugel; and Tjaart Stqn Using Phishing for User Email Security Awareness...... 454 Ronald C. Dodge and Aaron J. Ferguson IFIP WG 11.4 I-NetSec'06 Workshop Invited Talk: Anonymous Credentials: Opportunities and Challenges ...... 460 Jan Camenisch Practical Private Regular Expression Matching ...... 461 Florian Kerschbaum A System for Privacy-Aware Resource Allocation and Data Processing in Dynamic Environments...... 47 1 Siani Pearson and Marco Casassa-Mont The APROB-Channel: Adaptive Semi-Real-Time Anonymous Communication . 483 Gergely Tdth and Zoltrin Hornrik

Author Index...... 493